users@glassfish.java.net

Problem verifying CRL Signature when CRL issuer is different from certificate

From: <forums_at_java.net>
Date: Mon, 27 Jun 2011 14:09:48 -0500 (CDT)

Hi,

CRL distribution point checking is working if the CRL is issued by the same
cert/key as the issuer of the client certificate (like this
example: http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html#7). 
However, my goal is to have the CRLs issued by a separate key/cert, not the
issuer of the client certificate. 

Here is what my client certificate looks like:

$ openssl x509 -in client.crt -text -noout -certopt no_sigdump -certopt no_pubkey
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1050 (0x41a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Dev Sub CA
        Validity
            Not Before: Jun 25 18:50:44 2011 GMT
            Not After : Jun 24 18:50:44 2013 GMT
        Subject: CN=12345
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                URI:http://localhost/crl.crl
                CRLissuer:<UNSUPPORTED>*

*Note: openssl doesn't parse CRLissuer.

Here is what my CRL looks like:

$ openssl crl -in crl.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=Dev CRL Server
        Last Update: Jun 25 21:35:29 2011 GMT
        Next Update: Jun 25 21:40:29 2011 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
               
keyid:B6:61:7F:D0:F4:35:07:D6:8A:94:23:9F:F3:43:7F:3D:B9:47:B8:2A
                DirName:/CN=Dev Sub CA
                serial:03:E8
            X509v3 CRL Number:
                1
            X509v3 Issuing Distrubution Point:
                0$......http://localhost/crl.crl......
Revoked Certificates:
    Serial Number: 01C3
        Revocation Date: Jun 25 21:35:29 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                9

Here is my CRL server's certificate (which I added to the truststore):

$ openssl x509 -in dev-crl-server.crt -text -noout -certopt no_sigdump -certopt no_pubkey
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Dev Root CA
        Validity
            Not Before: Jun 25 21:32:04 2011 GMT
            Not After : Aug 24 21:32:04 2030 GMT
        Subject: CN=Dev CRL Server
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                CRL Sign

The error I get on the Sun provider is this:

certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=12345
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: CRL signature failed to verify
certpath: Returning 0 CRLs

The Sun provider is retrieving the CRL but is not able to verify it. Has
anyone had any success in a similar setup? I'm trying to trace the code in
DistributionPointFetcher.java without much luck.

Thanks, Dave


--
[Message sent by forum member 'dpomeroy']
View Post: http://forums.java.net/node/816643
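Added example, not part of the post above and not code from GlassFish or the JDK: a Go program (standard library crypto/x509, assumed Go 1.19 or later for ParseRevocationList) that builds a throwaway PKI shaped like the poster's, simplified to two tiers so that a self-signed Dev Sub CA issues both the client certificate and a cRLSign-only Dev CRL Server, which signs the CRL. Names, serials and the distribution point URI follow the post; keys, dates and key identifiers are generated here. verifyIndirectCRL walks the RFC 5280 section 6.3.3 conditions an indirect CRL must meet: the issuingDistributionPoint must carry indirectCRL, the certificate matching the CRL issuer name (not the certificate issuer) must have cRLSign, and the CRL signature must verify with that certificate's key. The same signature checked with the certificate issuer's key fails, which is what a verifier reports as "CRL signature failed to verify" when it checks against the wrong key.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// issuingDistributionPoint (RFC 5280 section 5.2.5): only two fields are decoded, and distributionPoint [0] is assumed present, as in the post's CRL.
var oidIDP = asn1.ObjectIdentifier{2, 5, 29, 28}

type issuingDistributionPoint struct {
	DistributionPoint asn1.RawValue `asn1:"optional,tag:0"`
	IndirectCRL       bool          `asn1:"optional,tag:4"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// idpExtension encodes a critical IDP: distributionPoint [0] { fullName [0] { URI [6] url } } plus indirectCRL.
func idpExtension(url string, indirect bool) pkix.Extension {
	uri := must(asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(url)}))
	full := must(asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: uri}))
	idp := issuingDistributionPoint{IndirectCRL: indirect,
		DistributionPoint: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: full}}
	return pkix.Extension{Id: oidIDP, Critical: true, Value: must(asn1.Marshal(idp))}
}

// verifyIndirectCRL applies the RFC 5280 section 6.3.3 conditions for a CRL whose issuer differs from the
// certificate issuer: indirectCRL set, a pool certificate named as CRL issuer with cRLSign, signature by its key.
func verifyIndirectCRL(cert *x509.Certificate, crl *x509.RevocationList, pool []*x509.Certificate) error {
	if bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return fmt.Errorf("CRL issuer equals certificate issuer; not an indirect CRL")
	}
	var idp issuingDistributionPoint
	for _, ext := range crl.Extensions {
		if ext.Id.Equal(oidIDP) {
			if _, err := asn1.Unmarshal(ext.Value, &idp); err != nil {
				return fmt.Errorf("malformed IDP extension: %w", err)
			}
		}
	}
	if !idp.IndirectCRL {
		return fmt.Errorf("CRL issuer differs from certificate issuer but indirectCRL is not set")
	}
	for _, signer := range pool {
		if !bytes.Equal(signer.RawSubject, crl.RawIssuer) {
			continue // not the CRL issuer (for example, the certificate's own CA)
		}
		if signer.KeyUsage&x509.KeyUsageCRLSign == 0 {
			return fmt.Errorf("%s lacks the cRLSign key usage", signer.Subject)
		}
		if err := signer.CheckSignature(crl.SignatureAlgorithm, crl.RawTBSRevocationList, crl.Signature); err != nil {
			return fmt.Errorf("CRL signature failed to verify with %s: %w", signer.Subject, err)
		}
		return nil
	}
	return fmt.Errorf("no certificate found for CRL issuer %s", crl.Issuer)
}

// buildDemo makes a throwaway two-tier PKI: a self-signed Dev Sub CA issues the client certificate and a
// cRLSign-only Dev CRL Server, which signs the CRL. Keys, dates and key identifiers are invented here.
func buildDemo(indirect bool) (leaf, subCA, crlSigner *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	mk := func(serial int64, cn string, ca bool, ku x509.KeyUsage, ski byte, parent *x509.Certificate, key, parentKey *rsa.PrivateKey) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now,
			NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca, KeyUsage: ku, SubjectKeyId: []byte{ski}}
		if parent == nil {
			parent, parentKey = t, key // self-signed
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))))
	}
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	subKey, crlKey, leafKey := newKey(), newKey(), newKey()
	subCA = mk(1, "Dev Sub CA", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, 1, nil, subKey, nil)
	crlSigner = mk(1000, "Dev CRL Server", false, x509.KeyUsageCRLSign, 2, subCA, crlKey, subKey)
	leaf = mk(1050, "12345", false, x509.KeyUsageDigitalSignature, 3, subCA, leafKey, subKey)
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		ExtraExtensions: []pkix.Extension{idpExtension("http://localhost/crl.crl", indirect)},
	}, crlSigner, crlKey))
	return leaf, subCA, crlSigner, must(x509.ParseRevocationList(der))
}

func main() {
	leaf, subCA, crlSigner, crl := buildDemo(true)
	fmt.Println("indirect CRL check:", verifyIndirectCRL(leaf, crl, []*x509.Certificate{subCA, crlSigner}))
	fmt.Println("same CRL against the certificate issuer's key:", subCA.CheckSignature(crl.SignatureAlgorithm, crl.RawTBSRevocationList, crl.Signature))
}
```

`go run` prints `<nil>` for the indirect check and an RSA verification error for the second line. The checks are Go's standard library plus this example's own logic, not the Sun provider's DistributionPointFetcher, so they show what an RFC 5280 verifier needs from the CRL and from the CRL issuer's certificate rather than why the Sun provider rejects this particular CRL; the same CheckSignature call on a parsed crl.crl and dev-crl-server.crt (read with pem.Decode, x509.ParseCertificate and x509.ParseRevocationList) is a quick offline way to confirm that the CRL really was signed by the CRL server's key before digging further into the JDK code.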